Free Rainbow Tables | Forum

Home of the Distributed Generator and Cracker

All times are UTC + 1 hour [ DST ]




 Post subject: Problem with NTLM hashes
PostPosted: 18 May 2012, 21:17 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
Hi to everyone,
I really tried to find the solution to my own issue: in this forum, testing, googling, etc. But nothing... I have to ask you!
For testing purposes of rainbow tables (I am a curious person :P) I generated a user on a Windows XP system, trying to break the NT hash (not the LM one). The password is obviously known, so I downloaded a rainbow table set that can cover that charset and length (ntlm), specifically these directories from the GARR:

ntlm_hybrid2(loweralpha#7-7,numeric#1-3)#0-0_0/
ntlm_hybrid2(loweralpha#7-7,numeric#1-3)#0-0_1/
ntlm_hybrid2(loweralpha#7-7,numeric#1-3)#0-0_2/
ntlm_hybrid2(loweralpha#7-7,numeric#1-3)#0-0_3/

(If I remember correctly, the password hidden by the hash is perrete11, which, as you can see, is covered by the downloaded rainbows).
I launched samdump2 for Linux to extract the corresponding NT hash.

Code:
root@localhost:~# samdump2 /mnt/C/WINDOWS/system32/config/SYSTEM /mnt/C/WINDOWS/system32/config/SAM
[...]
pruebaNT:1007:0ab5078d2ea64381c2265b23734e0dac:fa6ad7ba82fb8937ff730ced95b00994:::
root@localhost:~#


I'm then picking the second hash appearing there.
Then I launched:

Code:
rcracki_mt -h fa6ad7ba82fb8937ff730ced95b00994 -s rcracki_TEST2 ntlm_hybrid2\(loweralpha#7-7\,numeric#1-3\)#0-0_?/*.rti2


After the whole process, going through all the tables, no result is found! I've also tried with another password and other rainbow tables (ntlm_loweralpha-numeric#1-10) and the result is the same!!!
All the tables passed the md5sum check!
Either I am very unlucky or I'm doing something wrong... xD

What is happening?

Thanks in advance to you all.


PostPosted: 20 May 2012, 02:27 
Offline
Rainbow Table

Joined: 22 Sep 2010, 18:54
Posts: 249
Location: United States
Quote:
If I remember correctly, the password hidden by the hash is perrete11

The plaintext of fa6ad7ba82fb8937ff730ced95b00994 is perrete1, not perrete11

Although that's still covered by the keyspace.. (I had to look up the naming of hybrid2 tables so I might be wrong)

Rainbow tables are probabilistic so using the combined _0 to _3 you have a ~99.9% chance of finding a password in the table's keyspace, so it could just be that 1/1000 chance.


PostPosted: 20 May 2012, 10:21 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
Thanks for your reply.
With which table did you figure out the plaintext?
The problem is that I'm wondering why the result is not found!
I tested other hashes though...
Maybe it's the self-compiled version? Maybe I have to upgrade to a beta one?
Is the command issued correctly?

Code:
rcracki_mt -h fa6ad7ba82fb8937ff730ced95b00994 -s rcracki_TEST2 ntlm_hybrid2\(loweralpha#7-7\,numeric#1-3\)#0-0_?/*.rti2


PostPosted: 20 May 2012, 11:14 
Offline
Shoulder Surfer

Joined: 20 May 2012, 09:53
Posts: 7
I have exactly the same problem with these tables (hybrid2), I don't seem to find my very easy passwords from my NT hashes using rcracki_mt.

I might be saying something very stupid, but my system (and perhaps yours) is x64, perhaps that's where the problem comes from?


PostPosted: 20 May 2012, 11:58 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
gar wrote:
I might be saying something very stupid, but my system (and perhaps yours) is x64, perhaps that's where the problem comes from?


I think it makes sense... but my system is 32-bit though! [ rcracki_mt compiled from source! ]
I'm running another try right now, with another test user generated for the purpose.


PostPosted: 20 May 2012, 12:03 
Offline
Shoulder Surfer

Joined: 20 May 2012, 09:53
Posts: 7
Hi again,
I just tried the debug mode, and something strange popped up:

ntlm_hybrid2(loweralpha#7-7,numeric#1-3)#0-0_0_15000x67108864_distrrtgen[p][i]_06.rti2:
Debug: Saving 119992 bytes of memory for chainwalkset.
Debug: This is a table in .rti2 format.
Debug: Allocated 1073741824 bytes, filelen 420428280
Debug: reading...
Chain Position is now 67108864
402653184 bytes read, disk access time: 34.90 s
Debug: verifying the file...
rainbow chain length verify fail
Debug: writing progress to rcracki.progress


I guess it has something to do with the fact these files are hybrid2...


PostPosted: 20 May 2012, 12:04 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
Tried with hash 9FC6AD85BDFED4CEE9101CE3F2A230E2 patatas23

No result found within the rainbows (from _0_ to _3_).
Tried with beta too... this eloquent error is fired:

Code:
# rcracki_mt_0.7_beta2_src/rcracki_mt -h 9FC6AD85BDFED4CEE9101CE3F2A230E2 -t 2 ntlm_hybrid2\(loweralpha#7-7\,numeric#1-3\)#0-0_?/*.rti2 -v -v

[...]

ntlm_hybrid2(loweralpha#7-7,numeric#1-3)#0-0_0_15000x67108864_distrrtgen[p][i]_00.rti2
Debug: Saving 119992 bytes of memory for chainwalkset.
Debug: This is a table in .rti2 format.
Debug: Allocate 859441992 bytes, filelen 420419986
Debug: reading...
Killed


What's the matter with all this?!


PostPosted: 20 May 2012, 12:18 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
gar wrote:
rainbow chain length verify fail


Same for me with debug enabled (-v).


PostPosted: 20 May 2012, 12:33 
Offline
Shoulder Surfer

Joined: 20 May 2012, 09:53
Posts: 7
viewtopic.php?t=3401

Let's try that, I guess.


PostPosted: 21 May 2012, 11:45 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
I have just tried with an rcracki_mt compiled after cloning the gitorious repository.
The debug error disappeared, but the result still cannot be found!
Does anyone have any ideas about this?

Now I'm launching another test with the same version of rcracki_mt using other, non-hybrid tables, specifically the ntlm_loweralpha-numeric#1-10 series.

@gar: have you performed any interesting tests?


PostPosted: 21 May 2012, 19:00 
Offline
Shoulder Surfer

Joined: 20 May 2012, 09:53
Posts: 7
I'm working under Windows, nothing wanted to compile despite all my efforts, I still have some broken links (related to OpenSSL), I'm downloading a non-hybrid table to try with it as well.


PostPosted: 23 May 2012, 10:47 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
After the weekend I discovered that rcracki_mt had been killed.
I'm not sure why this is happening, but I think that the system is short on memory (1GB in a live minimal Linux distro) to manage such a huge table.
I will try to limit even more the memory rcracki_mt uses with -m.
Any news will be really appreciated!


PostPosted: 25 May 2012, 11:04 
Offline
Shoulder Surfer

Joined: 18 May 2012, 20:58
Posts: 8
Code:
result
-------------------------------------------------------
9fc6ad85bdfed4cee9101ce3f2a230e2        patatas23       hex:706174617461733233
c815029fab0895cac477fadda46e811d        descactus       hex:646573636163747573


Results found with rcracki_mt from gitorious and ntlm_loweralpha-numeric#1-10!!!!
I will try downloading another hybrid table and try a test hash with that one!


PostPosted: 25 May 2012, 12:10 
Offline
Shoulder Surfer

Joined: 20 May 2012, 09:53
Posts: 7
Hi,

I got it working with non-hybrid2 tables, I really need to get this gitorious thing for hybrid2 ones.

Gar


PostPosted: 25 May 2012, 12:57 
Offline
Shoulder Surfer

Joined: 20 May 2012, 09:53
Posts: 7
Hi,
Sorry Karimo, not sure this is related to you since you are a Linux user,

but for those who wanted to run rcracki_mt beta 0.7 and got a bunch of problems, here are the DLLs that should be used; please place them under the windows/system folder (normally empty).

Attachment:
rcracki.rar [606.18 KiB]
Downloaded 434 times


rti2 hybrid2 files no longer cause the chain length problem.

Kindly,
Gar

